WiFi Hotspot 2.0 (Passpoint): La guía definitiva para un roaming WiFi seguro y sin interrupciones

This guide provides a comprehensive technical overview of WiFi Hotspot 2.0 (Passpoint) for IT leaders. It details the technology, security benefits, and a step-by-step implementation framework for deploying seamless, secure WiFi roaming in enterprise environments like hotels, retail, and large venues, ultimately improving user experience and reducing operational overhead.

📖 8 min read📝 1,845 words🔧 2 examples❓ 3 questions📚 8 key terms

🎧 Listen to this Guide

View Transcript

WiFi Hotspot 2.0 and Passpoint: The Ultimate Guide to Seamless and Secure WiFi Roaming
A Purple Enterprise WiFi Intelligence Briefing

[INTRODUCTION & CONTEXT — approximately 1 minute]

Welcome to the Purple Enterprise WiFi Intelligence series. I'm your host, and today we're tackling a technology that's been quietly transforming how enterprises, venues, and public-sector organisations deliver WiFi connectivity — WiFi Hotspot 2.0, more commonly known as Passpoint.

If you're an IT manager, network architect, or CTO responsible for WiFi at a hotel chain, retail estate, stadium, or conference centre, this briefing is for you. We're going to cover what Passpoint actually is under the bonnet, why it matters for your security posture and guest experience, how to deploy it, and critically — what can go wrong and how to avoid it.

Let's set the scene. Your guests and staff are connecting to WiFi dozens of times a day. Every time they do, they're either wrestling with a captive portal, manually selecting an SSID, or — worst case — connecting to an unencrypted open network. All of that friction, all of that security risk, is unnecessary. Hotspot 2.0 eliminates it. And by the end of this briefing, you'll understand exactly how, and whether it belongs in your network roadmap this quarter.

[TECHNICAL DEEP-DIVE — approximately 5 minutes]

Let's start with the fundamentals. Hotspot 2.0 is the Wi-Fi Alliance's certification programme built on top of the IEEE 802.11u amendment to the WiFi standard. The core problem it solves is what engineers call the "network selection problem." In legacy WiFi, your device scans for a known SSID — a network name — and if it finds one it recognises, it connects. Simple, but brittle. It requires you to have previously connected, it doesn't tell you anything about the network's security posture, and it doesn't support roaming between venues.

Passpoint shifts the paradigm entirely. Instead of looking for a network name, your device looks for a network that supports its credentials. The device asks the access point — before even attempting to connect — "do you support my identity provider?" If the answer is yes, authentication proceeds automatically. No login page. No password. No manual selection. It's the cellular roaming model, applied to WiFi.

The mechanism that makes this possible is called the Generic Advertisement Service, or GAS, combined with the Access Network Query Protocol — ANQP. When a Passpoint-enabled access point broadcasts its beacon, it includes what's called an Interworking Element — essentially a flag that says "I speak 802.11u." Your device sees that flag, sends a GAS request, and inside that request, an ANQP query asks: "What Roaming Consortium Organisational Identifiers do you support?" The access point responds. If there's a match with a profile already on the device, the full WPA2 or WPA3 Enterprise authentication handshake begins.

That authentication uses IEEE 802.1X — the same port-based access control standard used in enterprise wired networks — combined with an EAP method. The most common are EAP-TLS, which uses certificates, EAP-TTLS with username and password tunnelled securely, and EAP-SIM or EAP-AKA for mobile operator SIM-based authentication. The result is a mutually authenticated, fully encrypted session. The device proves its identity to the network, and the network proves its identity to the device. This mutual authentication is what prevents the evil twin and man-in-the-middle attacks that plague open WiFi environments.

Now, a term you'll hear alongside Passpoint is OpenRoaming — the Wireless Broadband Alliance's federation framework. Here's a useful distinction: Passpoint is the vehicle. OpenRoaming is the highway system. Passpoint defines how a device discovers and authenticates to a network. OpenRoaming defines the trust ecosystem that allows an identity provider — say, Google, Samsung, or a mobile operator — and an access provider — your hotel, your stadium, your retail estate — to trust each other's credentials without a bilateral agreement between every pair. OpenRoaming uses a hub-and-spoke PKI model with RadSec tunnels — that's RADIUS over TLS — to proxy authentication requests across the federation. The key Roaming Consortium OI for settlement-free OpenRoaming is 5A-03-BA. You'll also want to broadcast the legacy Cisco OI, 00-40-96, for compatibility with older devices and Samsung OneUI profiles.

From a security compliance perspective, Passpoint is a significant upgrade. WPA3-Enterprise, which Passpoint supports, uses 192-bit security mode and mandates forward secrecy. Every session uses unique encryption keys, so compromising one session doesn't expose historical traffic. For organisations subject to PCI DSS — particularly retail environments processing card payments — or GDPR obligations around personal data, Passpoint's certificate-based authentication means you're not collecting credentials through a web form, reducing your data handling surface area considerably.

There's also a practical benefit around MAC address randomisation. Modern iOS and Android devices randomise their MAC address by default, which breaks traditional captive portal re-authentication flows. Passpoint is immune to this — authentication is credential-based, not MAC-based. Your returning guest connects seamlessly on every visit, regardless of what their device's MAC address happens to be that day.

[IMPLEMENTATION RECOMMENDATIONS & PITFALLS — approximately 2 minutes]

Let me walk you through what a sensible deployment looks like, and where teams typically go wrong.

The first step is an infrastructure audit. Not every access point supports Hotspot 2.0 — you need firmware that implements 802.11u and GAS/ANQP. Most enterprise-grade APs from Cisco, Aruba, Ruckus, Juniper Mist, and Ubiquiti support it, but you need to verify firmware versions. If you're running ageing hardware that predates 2015, budget for replacement.

Second, your RADIUS infrastructure needs to be capable of handling EAP-TLS or your chosen EAP method. Cloud RADIUS services from vendors like SecureW2, Foxpass, or Cisco ISE are common choices. If you're joining OpenRoaming, you'll need to register as an access provider with the WBA and configure your RADIUS proxy to route authentication requests via DNS NAPTR lookups.

Third — and this is where many deployments stumble — is the onboarding flow. Passpoint requires a profile to be installed on the device. For corporate-owned devices, this is straightforward: deploy via MDM. For guest devices, you need an onboarding mechanism — typically a one-time captive portal or a mobile app that installs the Passpoint profile. Once installed, subsequent connections are automatic. The friction is front-loaded, not repeated on every visit.

The most common pitfall I see is teams deploying Passpoint without testing across the full device matrix. Android behaviour varies significantly between manufacturers — Samsung, Google Pixel, and Chinese OEM devices all handle ANQP queries slightly differently. iOS has been consistently well-behaved since iOS 7, but you should test on current iOS and Android versions before go-live. Run a pilot on 10 to 20 percent of your access points in a single zone, measure connection success rates, authentication latency — target under 300 milliseconds — and helpdesk ticket volume before rolling out estate-wide.

The second common pitfall is RCOI misconfiguration. If you broadcast the wrong OI, or forget to include the legacy Cisco OI alongside the OpenRoaming OI, a significant proportion of devices will simply not attempt ANQP queries. Always broadcast both 5A-03-BA and 00-40-96.

[RAPID-FIRE Q&A — approximately 1 minute]

Let me address the questions I hear most often from IT teams.

"Does Passpoint replace our captive portal entirely?" Not necessarily. You can run both. Passpoint handles returning guests and corporate devices automatically. A captive portal remains available for first-time visitors or devices without a Passpoint profile. The two are complementary.

"What's the cost?" The incremental cost is primarily in RADIUS infrastructure and the WBA membership fee for OpenRoaming — typically a few thousand pounds per year for access providers. If your AP hardware already supports 802.11u, the software configuration cost is the main variable.

"Does it work with IoT devices?" Generally no. IoT devices rarely support 802.1X. Segment your IoT traffic on a separate SSID and reserve Passpoint for user-facing devices.

"What about analytics? Do we lose visibility?" This is a legitimate concern. With Passpoint, you don't get the same first-party data capture as a captive portal. Platforms like Purple can bridge this gap by integrating Passpoint onboarding with your CRM and analytics stack, so you retain guest intelligence without the login friction.

[SUMMARY & NEXT STEPS — approximately 1 minute]

Let me leave you with the key takeaways from today's briefing.

Hotspot 2.0 and Passpoint represent a fundamental shift from network-centric to credential-centric WiFi. The security benefits — mutual authentication, WPA3-Enterprise encryption, MITM prevention — are substantial and directly address the compliance requirements most enterprise IT teams face today.

The deployment is not trivial, but it is well-documented. Audit your hardware, configure your RADIUS infrastructure, plan your onboarding flow, and pilot before you roll out. Broadcast both the OpenRoaming and legacy Cisco RCOIs. Test across your full device matrix.

For venues where guest experience is a competitive differentiator — hotels, conference centres, stadiums — the elimination of captive portal friction is a measurable improvement in satisfaction scores. For retail environments, the security uplift directly supports PCI DSS compliance. For public-sector organisations, it provides a GDPR-defensible authentication mechanism at scale.

If you're evaluating whether Passpoint belongs in your roadmap, the question isn't really "should we deploy it?" The question is "how quickly can we get there?" The technology is mature, the device support is near-universal, and the business case is clear.

For more on how Purple's WiFi intelligence platform integrates with Passpoint and OpenRoaming deployments, visit purple.ai or speak to one of our solutions architects. Thanks for listening.

[END OF PODCAST]

Resumen ejecutivo

Para la empresa moderna, ofrecer una experiencia WiFi segura y sin interrupciones ya no es un lujo, sino un requisito operativo fundamental. WiFi Hotspot 2.0, también conocido como Passpoint, es un marco de trabajo estándar del sector diseñado para eliminar la fricción y los riesgos de seguridad asociados con el WiFi público y de invitados tradicional. Permite a los dispositivos móviles descubrir y autenticarse automáticamente en redes WiFi con seguridad WPA3 de nivel empresarial, reflejando la experiencia de roaming sin interrupciones de las redes móviles. Para un CTO o director de TI, esto se traduce en una reducción significativa de los problemas de conexión de los usuarios, una postura de seguridad reforzada frente a los ataques WiFi comunes y un proceso de autenticación optimizado que cumple con el GDPR y es inmune a los desafíos de la aleatorización de direcciones MAC. Al sustituir los Captive Portal inseguros y de alta fricción por una autenticación basada en credenciales y sin intervención (zero-touch), Passpoint mejora la satisfacción de los invitados, reduce la carga de soporte de TI y proporciona una base escalable para el roaming entre recintos y las estrategias de descarga de datos. Esta guía proporciona los detalles técnicos y el marco de implementación necesarios para integrar Passpoint en su infraestructura de red, impulsando mejoras tangibles tanto en la seguridad como en la experiencia del usuario.

Análisis técnico en profundidad

Hotspot 2.0 y su certificación subyacente, Passpoint, representan un cambio arquitectónico fundamental en la forma en que se descubren y acceden a las redes WiFi. La tecnología se basa en la enmienda IEEE 802.11u, que permite la comunicación previa a la asociación entre un dispositivo cliente y un punto de acceso. Esto permite que un dispositivo recopile información crítica sobre una red antes de establecer una conexión, pasando de un modelo heredado de reconocimiento de SSID a un modelo más inteligente de reconocimiento de credenciales.

Protocolos principales: ANQP, GAS y 802.11u

El mecanismo principal que permite este diálogo previo a la asociación es una combinación del Servicio de Anuncio Genérico (GAS) y el Protocolo de Consulta de Red de Acceso (ANQP). Así es como interactúan:

Balizamiento IEEE 802.11u: Un punto de acceso (AP) compatible con Passpoint incluye un Elemento de Interfuncionamiento (IE) en sus tramas de baliza. Esto actúa como un indicador, anunciando a los dispositivos cercanos que admite el descubrimiento de red avanzado.
Intercambio GAS y ANQP: Un dispositivo cliente que detecta este IE puede iniciar una consulta GAS al AP. Dentro de esta consulta, utiliza ANQP para hacer preguntas específicas sobre la identidad y las capacidades de la red. La consulta más crítica es sobre los Identificadores Organizacionales del Consorcio de Roaming (RCOI) compatibles con la red.
Coincidencia de credenciales: El AP responde con su lista de RCOI compatibles. Si alguno de estos coincide con un perfil de credenciales almacenado en el dispositivo cliente (por ejemplo, un perfil de un operador móvil, una marca de hotel o una red corporativa), el dispositivo sabe que puede autenticarse y pasa al siguiente paso. Si no se encuentra ninguna coincidencia, el dispositivo simplemente ignora la red, todo ello sin ninguna interacción por parte del usuario.

Marco de autenticación y seguridad

Una vez confirmada la coincidencia de credenciales, Passpoint aprovecha la sólida seguridad de IEEE 802.1X para la autenticación, normalmente con cifrado WPA2-Enterprise o el más seguro WPA3-Enterprise. Este es el mismo estándar de control de acceso a la red basado en puertos en el que confían las redes empresariales cableadas seguras. La autenticación se gestiona a través de un método de Protocolo de Autenticación Extensible (EAP), como:

EAP-TLS: Autenticación basada en certificados, considerada el estándar de oro en seguridad. Tanto el cliente como el servidor presentan certificados para demostrar su identidad.
EAP-TTLS/PEAP: Tuneliza un método de autenticación heredado (como nombre de usuario/contraseña) dentro de un túnel TLS seguro.
EAP-SIM/AKA/AKA': Autenticación basada en SIM, que permite a los operadores de redes móviles realizar el roaming de sus suscriptores sin interrupciones hacia redes WiFi de confianza.

Este proceso garantiza la autenticación mutua: el cliente valida que la red es legítima (evitando ataques de AP 'Evil Twin') y la red valida que el cliente está autorizado. Todo el tráfico posterior se cifra, mitigando el riesgo de ataques de intermediario (MITM) comunes en redes abiertas o basadas en PSK.

Passpoint frente a OpenRoaming

Es crucial distinguir entre Passpoint y OpenRoaming:

Passpoint es el vehículo; OpenRoaming es el sistema de autopistas.

Passpoint es el estándar técnico (802.11u, ANQP/GAS, 802.1X) que permite a un dispositivo descubrir y autenticarse automáticamente en una sola red o en un grupo de redes bajo el mismo control administrativo.
WBA OpenRoaming es un marco de federación global gestionado por la Wireless Broadband Alliance. Crea un ecosistema de confianza entre miles de Proveedores de Identidad (IdP), como operadores móviles, y Proveedores de Redes de Acceso (ANP), como hoteles, aeropuertos y cadenas minoristas. Esto permite que un usuario con una credencial de cualquier IdP miembro se conecte automáticamente en cualquier recinto de un ANP miembro, sin requerir complejos acuerdos bilaterales de roaming.

Para lograr la máxima compatibilidad en un entorno OpenRoaming, los arquitectos de red deben emitir tanto el RCOI estándar sin liquidación (5A-03-BA) como el RCOI heredado de Cisco (00-40-96).

Guía de implementación

La implementación de Passpoint es un proceso estructurado que va desde la auditoría de su infraestructura existente hasta un despliegue y optimización por fases. Seguir esta hoja de ruta garantizará una transición fluida y mitigará los errores de implementación comunes.

Fase 1: Auditoría de infraestructura

Antes de comenzar, evalúe su hardware y software de red actuales. Los puntos clave de la auditoría incluyen:

Compatibilidad de los puntos de acceso: Verifique que sus AP admitan IEEE 802.11u. La mayoría de los AP de nivel empresarial fabricados después de 2015 (de proveedores como Cisco, HPE Aruba, Juniper Mist, Ruckus) cuentan con el hardware necesario, pero pueden requerir una actualización de firmware.
Preparación del servidor RADIUS: Necesitará un servidor RADIUS (o AAA) capaz de gestionar la autenticación EAP 802.1X. Puede ser una solución local como Cisco ISE o un servicio basado en la nube como SecureW2, Foxpass o Google Cloud Identity.
Evaluación de PKI: Para las implementaciones de EAP-TLS, se requiere una Infraestructura de Clave Pública (PKI) para emitir y gestionar certificados digitales para dispositivos cliente y servidores.

Fase 2: Configuración de identidad y certificados

Esta fase implica la configuración de los componentes principales de autenticación:

Configuración del dominio NAI: Defina sus dominios de Identificador de Acceso a la Red (NAI), que identifican su dominio de autenticación (por ejemplo, @suempresa.com).
Registro de RCOI: Si participa en un consorcio de roaming como OpenRoaming, registre sus RCOI en la WBA.
Generación de certificados: Para EAP-TLS, genere e implemente certificados de cliente en sus dispositivos administrados a través de una solución de Gestión de Dispositivos Móviles (MDM). Para el acceso de invitados, necesitará un mecanismo para aprovisionar un perfil con la cadena de confianza de certificados necesaria.

Fase 3: Implementación piloto

Comience con un piloto controlado en un área limitada, como una sola planta o una zona específica del recinto, cubriendo entre el 10 y el 20 % de sus AP. Los objetivos del piloto son:

Establecer una línea base: Mida las tasas actuales de éxito de conexión, la latencia de autenticación y el volumen de tickets del servicio de asistencia técnica relacionados con el WiFi.
Probar la matriz de dispositivos: Pruebe la experiencia de incorporación y conexión en una amplia gama de dispositivos (iOS, varios fabricantes de Android como Samsung y Google Pixel, Windows, macOS).
Perfeccionar la incorporación: Ajuste el proceso para instalar el perfil de Passpoint en dispositivos de invitados no administrados.

Fase 4: Despliegue completo

Una vez que el piloto haya cumplido sus criterios de éxito (por ejemplo, >98 % de éxito de conexión, latencia de autenticación <300 ms), proceda con un despliegue completo en todos los AP y recintos. Esta fase incluye:

Configuración completa de los AP: Envíe la configuración WLAN estandarizada de Passpoint a todos los puntos de acceso.
Aprovisionamiento de dispositivos corporativos y del personal: Asegúrese de que todos los dispositivos propiedad de la empresa estén aprovisionados con el perfil de Passpoint a través de MDM.
Habilitar la federación OpenRoaming: Si corresponde, habilite las reglas de proxy RADIUS para participar en la federación OpenRoaming.

Fase 5: Optimización y monitorización

Tras el despliegue, monitorice continuamente el rendimiento y la seguridad de la red:

Seguimiento de KPI: Realice un seguimiento de los indicadores clave de rendimiento, comparándolos con la línea base del piloto. Las métricas clave incluyen la tasa de éxito de conexión, la latencia de autenticación, el éxito del roaming y el rendimiento de datos.
Análisis de roaming: Utilice la analítica para comprender los patrones de roaming entre sus recintos y con los socios de roaming.
Auditorías de seguridad: Realice auditorías de seguridad periódicas para garantizar la integridad de su infraestructura RADIUS y PKI.

Mejores prácticas

Para maximizar el éxito y la seguridad de su implementación de Passpoint, siga las siguientes mejores prácticas estándar del sector.

Categoría	Mejor práctica	Justificación
Seguridad	Exigir WPA3-Enterprise	WPA3 proporciona el nivel más alto de seguridad, con una solidez criptográfica de 192 bits y Tramas de Gestión Protegidas (PMF) para evitar ataques de desautenticación.
Seguridad	Utilizar EAP-TLS para dispositivos corporativos	La autenticación basada en certificados es más segura que los métodos basados en contraseñas y es inmune al phishing y al robo de credenciales.
Compatibilidad	Emitir múltiples RCOI	Para garantizar una amplia compatibilidad de dispositivos, emita tanto el RCOI moderno de OpenRoaming (`5A-03-BA`) como el RCOI heredado de Cisco (`00-40-96`).
Experiencia del usuario	Optimizar la incorporación de perfiles	La incorporación inicial es el único punto de fricción. Utilice un Captive Portal sencillo de un solo uso o una aplicación ligera para que la instalación del perfil sea lo más fácil posible.
Diseño de red	Segmentar dispositivos IoT	La mayoría de los dispositivos IoT no admiten 802.1X. Deben segmentarse en un SSID independiente y debidamente protegido (por ejemplo, mediante MPSK o autenticación MAC) y no mezclarse con el tráfico de Passpoint.
Operaciones	Integrar con analítica	Para mantener la visibilidad del comportamiento de los invitados en ausencia de un Captive Portal, integre sus registros de autenticación de Passpoint con una plataforma de analítica WiFi como Purple.

Resolución de problemas y mitigación de riesgos

Incluso las implementaciones bien planificadas pueden encontrar problemas. A continuación se muestran los modos de fallo comunes y cómo mitigarlos.

Síntoma	Causa potencial	Estrategia de mitigación
Los dispositivos no intentan conectarse	Discrepancia de RCOI o RCOI faltante	Verifique que sus AP estén emitiendo los RCOI correctos, incluido el OI heredado `00-40-96`. Utilice una herramienta de análisis WiFi para inspeccionar las tramas de baliza.
Fallos de autenticación (EAP)	Mala configuración del servidor RADIUS / Problemas de certificados	Revise los registros de RADIUS para ver los códigos de error detallados. Asegúrese de que los certificados de cliente sean válidos y que el servidor confíe en la CA emisora del cliente. Verifique que el certificado del servidor sea válido y que los clientes confíen en él.
Alta latencia de autenticación	Respuesta lenta de RADIUS / Problemas en la ruta de red	Garantice una baja latencia entre los AP y el servidor RADIUS. Si utiliza un RADIUS en la nube, compruebe si hay congestión en la red o problemas de enrutamiento. Apunte a un tiempo de respuesta inferior a 300 ms.
Comportamiento inconsistente en Android	Implementación de ANQP/GAS específica del OEM	Pruebe exhaustivamente en una variedad de dispositivos Android durante la fase piloto. Algunas versiones de Android más antiguas o menos comunes pueden tener implementaciones de 802.11u con errores.
Fallos de roaming entre recintos	Configuración WLAN inconsistente	Asegúrese de que el perfil WLAN de Passpoint (SSID, configuración de seguridad, RCOI) sea absolutamente idéntico en todos los recintos destinados a un roaming sin interrupciones.

ROI e impacto empresarial

Aunque Passpoint es una solución técnica, su impacto se mide en resultados empresariales. El retorno de la inversión está impulsado por las mejoras en la eficiencia operativa, la experiencia del usuario y la postura de seguridad.

Análisis de coste-beneficio

Costes de inversión:

Hardware: Posibles actualizaciones de AP si el hardware existente no es compatible con 802.11u.
Software/Licencias: Costes de las licencias del servidor RADIUS (por ejemplo, Cisco ISE) o de los servicios AAA en la nube.
Cuotas de federación: Cuotas anuales de membresía por participar en WBA OpenRoaming.
Implementación: Servicios profesionales o tiempo del personal interno para la configuración, las pruebas y el despliegue.

Retornos y beneficios esperados:

Reducción de los gastos generales de TI: Una reducción significativa de los tickets del servicio de asistencia técnica relacionados con el WiFi. Un resultado común es una disminución del 40-60 % en los tickets relacionados con problemas de conectividad WiFi.
Mayor satisfacción de los invitados: La eliminación de la fricción de inicio de sesión conduce a un mayor Net Promoter Score (NPS) y a mejores reseñas, especialmente en el sector hotelero.
Mejora de la seguridad y el cumplimiento: Mitiga el riesgo de filtraciones de datos por ataques basados en WiFi, respaldando el cumplimiento de PCI DSS y GDPR y reduciendo las posibles sanciones financieras.
Mejora de la descarga de datos: Para los operadores móviles y sus socios de recintos, Passpoint permite la descarga automática y segura de datos móviles a WiFi, reduciendo la tensión en la red móvil.
Mayor interacción: Una conexión sin interrupciones anima a los usuarios a permanecer más tiempo en el lugar y a interactuar más con los servicios digitales, impulsando los ingresos en entornos minoristas y hoteleros.

Al medir los KPI, como el volumen de tickets del servicio de asistencia técnica, las puntuaciones de satisfacción de los invitados y las tasas de éxito de conexión antes y después de la implementación, los equipos de TI pueden crear un caso de negocio convincente que demuestre un ROI claro y medible.

Key Terms & Definitions

IEEE 802.11u

An amendment to the IEEE 802.11 standard that enables 'interworking with external networks'. It allows client devices to exchange information with an access point before establishing a connection.

This is the foundational protocol that makes Hotspot 2.0 possible. When an IT team sees that an AP is '802.11u capable', it means it can support the discovery mechanisms required for Passpoint.

ANQP (Access Network Query Protocol)

The specific protocol used by a client device to query an access point about its capabilities, such as roaming partners, venue type, and authentication methods.

Network architects will configure ANQP elements on their wireless controllers to advertise network services. Troubleshooting often involves analyzing ANQP frames to see what information the AP is providing to clients.

GAS (Generic Advertisement Service)

The transport mechanism defined in 802.11u that carries ANQP frames between the client and the access point before an association is formed.

GAS and ANQP work together. GAS is the 'envelope' and ANQP is the 'letter' inside. When troubleshooting, packet captures will show GAS frames containing the ANQP queries and responses.

RCOI (Roaming Consortium Organizational Identifier)

A unique identifier that represents a group of network providers who have a roaming agreement. It's the primary piece of information a device looks for to decide if it can automatically connect.

This is a critical configuration item. An IT manager must ensure their APs are broadcasting the correct RCOIs for their own organization and any roaming partners like OpenRoaming. A missing or incorrect RCOI is a common cause of connection failures.

WPA3-Enterprise

The highest level of WiFi security, which uses 192-bit encryption and requires 802.1X authentication. It provides robust protection against eavesdropping and other sophisticated attacks.

For any organization concerned with security and compliance (PCI DSS, GDPR), deploying WPA3-Enterprise is a non-negotiable best practice. Passpoint is the most user-friendly way to implement it at scale.

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security)

An EAP method that uses client-side and server-side digital certificates for mutual authentication. It is considered the most secure EAP method.

This is the recommended method for securing corporate-owned devices. IT teams will use an MDM to push certificates to devices, enabling zero-touch, highly secure network access.

RadSec (RADIUS over TLS)

A protocol that secures RADIUS authentication traffic by tunneling it through a TLS-encrypted connection (typically over TCP port 2083).

When setting up roaming with OpenRoaming or other external partners, network architects will use RadSec to ensure that authentication requests traversing the public internet are fully encrypted and secure.

NAI (Network Access Identifier)

A standardized way of identifying a user in an 802.1X authentication request, typically formatted like an email address (e.g., 'user@realm'). The realm portion is used to route the request to the correct home RADIUS server.

IT teams configure NAI realms to define their authentication domains. In a roaming scenario, the realm of the user's NAI determines which Identity Provider's RADIUS server needs to process the authentication request.

Case Studies

A 500-room luxury hotel with multiple conference wings wants to eliminate its cumbersome captive portal. Corporate guests frequently complain about having to re-authenticate multiple times per day as they move between their room, the conference centre, and the restaurant. The hotel needs to maintain PCI DSS compliance for its payment systems.

The recommended solution is a phased Passpoint deployment integrated with WBA OpenRoaming. Phase 1 (Pilot): Deploy Passpoint in the main conference wing and on one floor of guest rooms. Configure the WLAN to broadcast the hotel's own RCOI and the OpenRoaming RCOI. Use EAP-TLS for corporate-managed devices (provisioned via MDM by their employers) and provide a simple, one-time onboarding portal for guests to install a Passpoint profile with an EAP-TTLS credential. Phase 2 (Rollout): After a successful pilot, extend the Passpoint WLAN to all guest rooms, public areas, and restaurants. Decommission the legacy captive portal SSID, but keep a single, hidden SSID for specific back-of-house devices that do not support 802.1X. Security: The use of WPA3-Enterprise and 802.1X provides traffic encryption and mutual authentication, satisfying key PCI DSS requirements for securing wireless environments.

Implementation Notes: This approach correctly prioritizes a phased rollout to minimize risk and validate the user experience. By supporting both a private RCOI and OpenRoaming, the hotel can serve its direct guests while also attracting subscribers from major mobile carriers. The decision to retain a hidden, non-Passpoint SSID for legacy devices is a pragmatic choice that avoids disrupting essential hotel operations.

A large retail chain with 200 stores across the country wants to offer seamless WiFi to its loyalty program members. They also want to offload traffic from their in-store staff's cellular devices to the corporate WiFi to ensure reliable access to inventory and POS applications. The existing infrastructure is a mix of Cisco Meraki and Aruba hardware.

The solution is to create a unified Passpoint strategy across the mixed-vendor environment. Step 1 (Onboarding): Integrate Passpoint profile generation into the loyalty program's mobile app. When a user signs into the app, it automatically installs the Passpoint profile with a unique EAP-TTLS credential. Step 2 (Staff Provisioning): Use the company's MDM to push a separate Passpoint profile to all corporate-owned staff devices, configured for EAP-TLS using device certificates for zero-touch authentication. Step 3 (Network Configuration): In both Cisco Meraki and Aruba Central dashboards, create a new WLAN profile for Passpoint. Enable Hotspot 2.0, set security to WPA3-Enterprise, and add the company's RCOI and the OpenRoaming RCOI. Point authentication to a central cloud RADIUS server to ensure consistent policy enforcement across all stores. Step 4 (Analytics): Ingest RADIUS authentication logs into the Purple analytics platform to correlate WiFi connections with loyalty member IDs, tracking visit frequency and dwell time without a captive portal.

Implementation Notes: This solution effectively leverages the mobile app as the onboarding vehicle, which is a best practice for large-scale guest deployments. Using a central cloud RADIUS is critical for managing a consistent authentication experience across a distributed, multi-vendor network. The separation of guest (EAP-TTLS) and staff (EAP-TLS) profiles allows for different security policies and network access levels.

Scenario Analysis

Q1. You are the network architect for a large international airport. You want to implement Passpoint to provide seamless roaming for travelers from major cellular carriers. During your pilot, you notice that a large number of Android devices are not automatically connecting, while iOS devices are connecting successfully. What is the most likely cause and your first troubleshooting step?

💡 Hint:Consider the differences in how various device manufacturers implement the 802.11u standard and what specific information they look for during discovery.

Show Recommended Approach

The most likely cause is a misconfiguration of the Roaming Consortium Organizational Identifiers (RCOIs). Many Android devices, particularly older models or those with manufacturer-customized operating systems, rely on the legacy Cisco RCOI (00-40-96) to initiate an ANQP query. If only the modern OpenRoaming RCOI (5A-03-BA) is being broadcast, these devices will not attempt to connect. The first troubleshooting step is to use a WiFi analysis tool to inspect the beacon frames from the pilot APs and verify that both the OpenRoaming and the legacy Cisco RCOIs are being broadcast.

Q2. A retail chain has successfully deployed Passpoint with OpenRoaming in all its stores. The marketing team now wants to know if they can still gather customer analytics, such as visit frequency and dwell time, which they previously collected via the captive portal. What is your recommendation?

💡 Hint:Where in the new authentication flow can user identity be correlated with a connection event? Can this be done while respecting privacy and the principles of the OpenRoaming federation?

Show Recommended Approach

While Passpoint eliminates the captive portal, it is still possible to gather valuable analytics. The recommended approach is to leverage the RADIUS authentication logs. Each time a user connects, an authentication request is sent to the RADIUS server, which contains the user's Network Access Identifier (NAI). By integrating the RADIUS server with an analytics platform like Purple, the NAI can be used as a persistent anonymous identifier to track visit frequency and dwell time. This provides the marketing team with the data they need without reintroducing login friction for the user. It's important to ensure this process is compliant with privacy policies and the terms of the roaming federation.

Q3. A conference centre is setting up a Passpoint network. They plan to use EAP-TLS for staff and event organizers, but need a solution for thousands of temporary attendees. They are considering using EAP-TTLS with usernames and passwords distributed at registration. What is a significant security risk of this approach and what is a better alternative?

💡 Hint:Think about the lifecycle of shared credentials and the security of the 'inner' authentication method in EAP-TTLS.

Show Recommended Approach

The significant risk of using shared EAP-TTLS credentials (username/password) is the lack of revocation and accountability. If a credential pair is compromised, it can be used by an unauthorized party until it expires, and it's difficult to trace activity back to a specific individual. A better and more secure alternative is to use an onboarding portal that generates a unique Passpoint profile for each attendee. This can be done by having the attendee scan a QR code or visit a one-time URL. The portal generates a profile containing a unique, short-lived digital certificate (for EAP-TLS) or a unique EAP-TTLS credential. This ensures that each user has a distinct identity, and access can be revoked on a per-user basis if necessary, providing much stronger security and accountability.

Key Takeaways

✓WiFi Hotspot 2.0 (Passpoint) enables seamless, zero-touch roaming for users by automatically authenticating devices to trusted WiFi networks.
✓It replaces insecure, high-friction captive portals with credential-based authentication using the enterprise-grade WPA3-Enterprise security standard.
✓The core technology relies on the IEEE 802.11u standard, which allows devices to query network information (via ANQP/GAS) before connecting.
✓Mutual authentication (802.1X) is a key security benefit, protecting against 'Evil Twin' and Man-in-the-Middle (MITM) attacks.
✓OpenRoaming is a global federation that works with Passpoint to allow seamless roaming across thousands of different network providers.
✓A successful deployment requires a phased approach: audit your infrastructure, run a pilot to test across all device types, and then perform a full rollout.
✓Key business benefits include reduced IT helpdesk costs, improved guest satisfaction, enhanced security compliance (PCI DSS, GDPR), and new opportunities for data offload and analytics.